Violations of the Health Insurance Portability and Accountability Act (HIPAA) generally involve computer breaches or procedural snafus. But a recent incident involving a mailing by insurer Aetna illustrates that HIPAA obligations are equally applicable to paper communication.
Consumer advocates complained that a July 28, 2017 letter from the insurer effectively exposed the HIV status of approximately 12,000 recipients. The letter, outlining options for HIV medication prescriptions, may have been visible through a window in the envelope.
Aetna apologized, while noting that not every envelope in the mailing was affected. Nevertheless, it is in the process of contacting both state and federal regulators. Since HIPAA defines the inadvertent disclosure of personal health information as a breach, the incident is being treated as one. Aetna has notified potentially affected individuals. The notification stressed that "the viewable information did not include the name of any particular medication or any statement that you have been diagnosed with a specific condition."
If the complaints are borne out, Aetna could be fined for violating HIPAA provisions on safeguarding PHI as well as state regulatory obligations governing disclosure of patient health information,
The incident highlights the need for all covered entitled entities and business associates to regularly review their practices to ensure protection of PHI confidentiality. While media and public attention remains focused on hackers, sometimes the threat may simply be the wrong envelope.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
